DoD Information Technology Modernization: A
Recommended Approach to Data Center Consolidation and
Cloud Computing

TASK 

In May 2011, Deputy Secretary of Defense William J. Lynn tasked the
Defense  Business  Board  (hereafter  referred  to  as  “the  Board”)  to  form  a 
Task  Group  to  provide  recommendations  as  to  how  the  Department  of 
Defense  (DoD)  might  apply  proven  best  business  practices  to  Information 
Technology  (IT)  modernization,  Data  Center  Consolidation  (DCC),  and  the 
efficient,  effective,  and  secure  implementation  of  Cloud  computing  to 
support  DoD  business  approaches  and  its  war-fighting  mission.  A  copy  of 
the  Terms  of  Reference  (TOR)  outlining  the  scope  and  deliverables  for  the 
Task  Group  can  be  found  at  Tab  A. 

David  Langstaff  served  as  the  Task  Group  Chair.  The  other  Task 
Group  members  were  Atul  Vashistha,  Bonnie  Cohen,  Patrick  Gross,  and 
Kevin  Walker.  Captain  Ronald  Carr,  USN,  and  Lieutenant  Colonel  Edward 
Lengel,  USAF,  served  as  the  Board  Military  Assistants  to  the  group. 


PROCESS 

The  Task  Group  conducted  extensive  interviews  of  both  public  and 
private  sector  entities  as  well  as  reviews  of  recent  journal  articles,  technical 
and  trade  publications,  and  industry  circulars.  The  intent  was  not  to  be 
prescriptive  toward  DoD  IT  systems,  but  to  provide  applicable  insights 
gained  from  successful  private  sector  IT  modernization  experiences.  The 
study  was  undertaken  with  a  clear  understanding  of  the  mission  of  the 
Department,  the  vital  importance  of  IT  in  modern  warfare,  and  the  need  for 
security  with  respect  to  both  data  centers  and  Cloud  computing. 

The  Task  Group’s  draft  findings  and  recommendations  were 
presented  to  the  Board  for  deliberation  at  the  January  19,  2012  quarterly 
Board  meeting  where  the  Board  voted  to  approve  the  recommendations. 
See  Tab  B  for  a  copy  of  the  brief  and  recommendations  as  approved  by 
the  Board. 

FINDINGS

Given  today’s  technological  advances  in  Cloud  computing  and  data 
consolidation,  DoD  has  the  opportunity  for  significant  positive  impact  on  its 
core  mission  through  IT  modernization.  This  modernization  should  not  be 
viewed  as  an  end  in  itself,  but  as  a  means  to  a  greater  end  of  enhanced 
combat  capability.  Selected  findings  are  listed  below,  with  the  complete 
findings  listed  in  the  accompanying  presentation. 

The  Department’s  current  information  technology  systems  were  built 
in  a  decentralized  manner,  resulting  in  a  myriad  of  legacy  infrastructure  that 
is  difficult  to  blueprint.  The  Department’s  FY12  budget  for  IT  is  $38.5 
billion,  $24  billion  of  which  is  dedicated  to  infrastructure  alone. 


Context: DoD IT Today

■ FY12 DoD IT Budget: $38.5B
- Non-Infrastructure (Systems Acquisition): $14.5 Billion (38%)
- Infrastructure: $24 Billion (62%)

■ DoD IT Infrastructure: $24.0B
- End User Systems: $5.1 Billion (21%)
- Infrastructure Support: $6.5 Billion (27%)
- Mainframes & Servers: $2.5 Billion (11%)
- Telecommunications: $9.9 Billion (41%)

■ DoD IT Scale
- 772+ data centers
- 6,000+ locations; 15,000+ networks
- 70,000+ servers; 3 million+ networked users
- 7 million+ IT devices
- 5,000+ applications
- Approx. 90,000 full-time employees

These are the final briefing slides as approved by the Defense
Business Board in the public meeting held January 19, 2012.


At  best  estimates,  DoD  controls  over  772  data  centers  with 
operations  at  over  6,000  separate  locations.  The  DoD  IT  enterprise  serves 
over  three  million  networked  users  on  70,000  servers  and  seven  million  IT 
devices.  These  devices  run  over  5,000  different  applications.  It  is 
estimated  that  it  currently  takes  90,000  employees  to  accomplish  daily 
operations  and  maintenance  of  the  DoD  IT  enterprise.  Currently,  DoD  is 
unable to audit specific spending on IT systems outside the IT budget, and
as  such,  it  is  estimated  that  the  actual  amount  spent  on  IT  systems  could 
be  significantly  greater  than  budgeted  due  to  use  of  operations  and 
maintenance  funds  at  local  levels  to  augment  the  formally  budgeted 
allotment  for  IT.  Also,  this  budget  does  not  include  IT  purchased  as  part  of 
major  weapons  systems,  which  is  normally  budgeted  within  each  specific 
program. 

The  current  IT  enterprise,  across  the  Services  and  Agencies  of  DoD, 
lacks  common  terminology,  accounting  transparency,  and  overall  visibility. 
Similar  to  many  private-sector  network  designs,  DoD  network  capabilities 
were  created  out  of  necessity  for  specific,  functional  requirements.  These 
designs  filled,  and  are  filling,  needs  of  the  warfighter.  However,  as  seen  in 
the private sector, there is a point where a system becomes
resource-intensive both in manpower and maintenance.

The  computer  industry  has  made  leaps  in  computing  power  and  data 
storage  which,  along  with  increased  bandwidth  capability,  allows  for  a 
change  in  the  service  delivery  model  for  IT.  The  new  model  has  been 
shown  to  provide  benefits  in  both  cost  savings  and  operational  agility  in  the 
private  sector.  Another  benefit  to  the  new  model  is  increased  visibility 
across  the  entire  network. 

Security  is  a  primary  concern  with  IT  systems  worldwide.  There  is 
growing  consensus  that  not  only  are  cloud-based  systems  likely  to  be  more 
secure,  but  that  the  security  of  current  non-cloud  systems  will  decline 
rapidly  over  time.  It  will  become  harder  and  increasingly  expensive  to 
maintain  and  secure  legacy  systems.  Consolidated  data  centers  and 
properly  designed  cloud  systems  can  be  more  secure  due  to  the  fact  that 
there  are  fewer  of  them,  and  proportionally  greater  resources  can  be 
applied  to  them  in  order  to  increase  redundancy  and  strengthen  the  ability 
to  recover  and  reconstitute  after  a  breach. 

Despite  human  and  institutional  nature  to  resist  change,  many  of  the 
interviewees  indicated  wide  support  across  DoD  for  DCC  and  Cloud 
computing  initiatives.  These  initiatives  would  provide  efficiency  and 
capability  benefits.  The  strategic  question  to  answer  is  “At  what  level 
should  the  DoD  optimize  its  IT  modernization?”  In  response  to  this 
question,  the  Task  Group  identified  five  key  recommendations. 

RECOMMENDATIONS

1. Establish a single strong governance authority. This was the
most critical point that the Task Group heard repeatedly in the private
sector interviews. The authority to direct coordinated changes across
the entire enterprise is critical to achieving desired operational
performance and system efficiency. It should be noted that DoD has
already begun to implement elements of this recommendation. One
example is the DEPSECDEF’s directive-type memorandum dated
January 11, 2012, titled “Disestablishment of the Assistant Secretary
of Defense for Networks and Information Integration and Related
Matters.” [1] In this letter, the DoD Chief Information Officer is
designated as the “...primary authority for the policy and oversight of
information resources management, to include matters related to
information technology, network defense, and network operations.”

2. Develop a coordinated, integrated strategy to optimize at the
DoD level. A modernization effort at the Service or Agency level of
DoD, rather than at the highest level, increases the risk of operational
barriers and will not maximize effective use of resources. Large
private sector firms with operations spread over wide geographic
areas have noted increased operational capabilities and more
effective use of resources when their IT modernization was led at the
highest levels. Today’s Joint warfare concepts require warfighter
access to data and information systems that cross Military Service,
Combatant Command, and Defense Agency boundaries. Military
Service IT professionals will always have a responsibility to their
respective Military Service, but they will also carry a responsibility to
follow policy directives from DoD regarding adherence to a concept of
operations, performance metrics, and established standards. This
will result in a well-coordinated matrix-type organization for the
implementation of the IT modernization effort.


[1] “Disestablishment of the Assistant Secretary of Defense for Networks and Information Integration (ASD(NII)) and
Related Matters,” OSD 15075-11.

3. Streamline legal and procurement authorities to address policy
barriers.  U.S.  Code  Title  10  prescribes  responsibility  for  specific 
systems.  However,  those  with  responsibility  must  regard  the  overall 
interaction  of  their  IT  systems  across  the  DoD  enterprise  when 
executing  decisions  based  on  their  responsibility  and  coincident 
authority.  Also,  the  current  acquisition  system  sometimes  cannot 
keep  pace  with  software  and  hardware  advances  that  occur  over  a 
period  of  weeks  or  even  days.  Provisions  should  be  explored  for 
rapid  acquisition  of  IT  systems  that  can  be  established  as  common 
solutions  across  the  Military  Services,  Defense  Agencies,  and 
Combatant  Commands. 

4.  Use  a  sequenced  approach  to  Data  Center  Consolidation.  Proper 
sequencing  is  vital  to  a  favorable  modernization  and  consolidation 
outcome.  The  first  step  is  to  normalize,  standardize,  and  rationalize 
critical  elements.  This  step  will  highlight  the  truly  important  and  highly 
utilized  IT  systems.  The  second  step  is  to  prioritize  around 
applications,  then  infrastructure,  and  then  data  and  security.  This 
step  will  form  the  backbone  of  the  new  architecture  and  establish  the 
model  for  integration  of  systems.  The  third  step  is  to  set  deadlines  for 
the  termination  of  legacy  systems,  personnel,  and  contractors.  This 
step  is  important  to  effectively  utilize  resources  and  ensure  a  full 
transition  to  the  modernized  architecture.  The  fourth  step  is  to  launch 
Cloud  pilot  initiatives  offering  immediate  user  benefits.  This  step  will 
entice  those  who  have  been  apprehensive  about  the  changes  and 
create  a  “market  pull”  from  users  who  want  the  enhanced  capabilities 
and  a  more  effective  use  of  their  resources.  The  fifth  and  final  step  is 
to  accelerate  the  transition  when  the  purpose  and  desired  benefits 
are  clear.  This  step  will  apply  momentum  to  the  transition  and 
provide  a  point  to  validate  the  original  concept  of  operation. 

5.  Utilize  commercial  business  models  to  set  targets  and  manage 
expectations.  Data  Center  Consolidation  and  transition  to  Cloud 
computing  will  provide  benefits,  but  applicable  metrics  must  be 
established  and  tracked  to  ensure  compliance  with  intended  goals. 
Additionally,  accurate  accounting  practices  are  necessary  to  track 
total  cost  savings  and  allow  relocations  to  fund  additional 
modernization  efforts.  This  accountability  will  require  a  multi-year 
budget  plan  and  require  audit-level  transparency.  Successful  private 
ventures  have  relied  on  the  investment  of  at  least  some  of  the 
savings in updated infrastructure and applications. Modification of
the  original  concept  of  operations  may  be  necessary  to  ensure 
continuous  improvement. 

Staff  optimization  is  another  important  consideration. 
Organizations  that  have  already  transitioned  to  Cloud  systems  have 
re-tasked  their  IT  workforce.  What  used  to  be  a  60%  infrastructure 
support  and  a  40%  programming  and  application  workforce  mix 
changed  under  a  Cloud  structure.  Under  the  Cloud  system,  40%  of 
employees  could  handle  the  infrastructure  support  workload,  allowing 
60%  to  work  on  programming  and  applications.  Training  of  these 
employees  will  be  necessary  during  the  transition  but  will  generate 
value  over  time  with  introduction  of  enhanced  capability  from 
increased  manpower  focused  on  applications  and  software. 


Examples of Cost Savings and Efficiencies

CATEGORY                  REDUCTION                   EXAMPLE
Data Centers              Number: 50%; Cost: 25-50%   Typical payback is 5 years
Servers                   70%                         80 → 4; leverage virtual machines
Server Provisioning       95%                         73 days → less than 1 day
Application Development   90%                         45 days → 4 days
Bandwidth Utilization     70-90%                      ROI in less than 1 year
Personnel                 40%                         Most organizations retrain support staff
                                                      into applications staff

Cost-saving estimates: 25-50% in total annual expenditures
DCC/Cloud initiatives illuminated robust ‘shadow’ IT infrastructure.


CONCLUSION

IT  Modernization  in  the  form  of  Data  Center  Consolidation  and 
transition  to  a  Cloud  structure  is  a  strategic  DoD  enterprise-level 
imperative.  The  DoD  CIO  should  be  the  strategic  partner  to  the  Deputy 
Secretary  of  Defense  empowered  to  implement  the  Department’s  IT 
Enterprise  Strategy  and  Roadmap. 

Respectfully  submitted, 


David  Langstaff 
Task  Group  Chair 

TERMS OF REFERENCE

DEPUTY SECRETARY OF DEFENSE
1010 DEFENSE PENTAGON
WASHINGTON, DC 20301-1010


MAY 20 2011


MEMORANDUM FOR CHAIRMAN, DEFENSE BUSINESS BOARD (DBB)

SUBJECT: DBB Terms of Reference - “Information Technology Modernization”

The Department of Defense's $38 Billion FY12 Information Technology (IT) budget
supports our global military activities and operations. The Department’s IT infrastructure and
environment is highly complex. DoD operates approximately 10,000 operational systems
running on 15,000 networks using 67,246 servers and 772 data centers spanning 146 countries
and 6,000 locations. This complexity has created numerous operating challenges, including:
cyber vulnerabilities, decentralized planning and standards, impediments to joint and allied
operations, large cumulative costs, and an inability to capitalize on rapidly evolving technology.
For these reasons, it is imperative that the Department identify and pursue every opportunity to
economize and increase the efficiency of its IT enterprise.

As the Department’s independent advisory board for economics and business affairs, I
request you form a Task Group to provide recommendations on how DoD should apply best
business practices to assess and approach:

• IT data center consolidation to increase the efficiency and modernize the DoD IT
  enterprise.

• Opportunities for the efficient, effective, and secure implementation of cloud computing
  to support the Department’s business operations and warfighting mission

• Security concerns associated with both data center consolidation and cloud computing

The  Task  Group  will  be  sponsored  by  me  and  co-sponsored  by  the  Acting  Assistant 
Secretary  of  Defense  for  Networks  and  Information  Integration/DoD  Chief  Information  Officer. 
Mr.  David  Langstaff  will  chair  the  Task  Group.  Captain  Ronald  Carr,  U.S.  Navy,  will  serve  as 
the  Task  Group’s  Military  Advisor. 

This  effort  should  be  completed  by  the  DBB’s  October  2011  Board  meeting. 

As  a  subcommittee  of  the  Board,  and  pursuant  to  the  Federal  Advisory  Committee  Act  of 
1972, the Government in the Sunshine Act of 1976, and other appropriate federal regulations,
this  Task  Group  shall  not  work  independently  of  the  Board’s  charter  and  shall  report  its 
recommendations  to  the  full  Board’s  public  deliberation.  The  Task  Group  does  not  have  the 
authority  to  make  decisions  on  behalf  of  the  Board,  nor  can  it  report  directly  to  any  federal 
officer  who  is  not  also  a  Board  member.  The  Task  Group  will  avoid  discussing  “particular 
matters”  according  to  title  18,  U.S.C.,  section  208. 

FINDINGS AND RECOMMENDATIONS
PROVIDED  TO  THE  BOARD  ON  JANUARY  19,  2012 

DoD Information Technology Modernization:
A  Recommended  Approach  to  Data  Center 
Consolidation  and  Cloud  Computing 

Task  Group 

January  19,  2012 


Task  Group  Overview 


Terms  of  Reference 

How  should  the  Department  of  Defense  (DoD)  apply  best  business  practices  to 
Information  Technology  (IT)  modernization,  Data  Center  Consolidation  (DCC),  and  the 
efficient,  effective,  and  secure  implementation  of  Cloud  computing  to  support  DoD 
business  approaches  and  its  war-fighting  mission? 

Task  Group 

Mr.  David  Langstaff  (Chair) 

Ms.  Bonnie  Cohen 
Mr.  Patrick  Gross 
Mr.  Atul  Vashistha 
Mr.  Kevin  Walker 

Military  Assistant 

Lt  Col  Edward  Lengel,  USAF 

Task Group Report


■  Approach 

■  Context 

■  Findings 

■  Recommendations 

■  Summary 

■  Appendix 


Approach:  Critical  Considerations 


■  Align  with  DoD  mission  requirements 

-  Do  no  harm 

-  Support  and  enhance  DoD  mission 

■  Recognize  cost  saving  imperative 

-  Identify  cost  reductions 

-  Seek  operating  efficiency  and  asset  utilization  gains 

-  Consider  positioning  for  future  gains 

■  Address  security  concerns 

-  Understand  current  system  risks  and  vulnerabilities 

-  Understand  cloud-specific  risks 

-  Mitigate  transition  as  well  as  ongoing  operating  risks 

■  Identify  and  capture  ‘lessons-learned’  experiences 

-  Public  sector:  DoD  and  other  government  agencies 

-  Private  sector:  industry,  service  providers,  domain  experts,  and  consultants 

Approach: Interviews


■ Public Sector

- CIO and Staff, DoD
- CIO, US Air Force
- CIO, US Army
- CIO, US Navy
- CIO, Defense Intelligence Agency
- CIO, Defense Logistics Agency
- CIO, Dept of Homeland Security
- CIO, US Government
- Director and Staff, NSA
- Vice Chairman, Joint Chiefs of Staff
- Principal Deputy Under Secretary of Defense, AT&L
- Director of Computing Services and CTO, Defense Information Services Agency

■ Private Sector

- Amazon
- Chevron
- Citigroup
- CGI
- CSC
- First Data Corporation
- Forrester Research
- Gartner Group
- IBM Corporation
- Kimberly Clark Corporation
- Palantir
- Thompson, Cobb & Bazilio

■ See Appendix for documents reviewed

Context: DoD IT Today

■ FY12 DoD IT Budget: $38.5B
- Non-Infrastructure (Systems Acquisition): $14.5 Billion (38%)
- Infrastructure: $24 Billion (62%)

■ DoD IT Infrastructure: $24.0B
- End User Systems: $5.1 Billion (21%)
- Infrastructure Support: $6.5 Billion (27%)
- Mainframes & Servers: $2.5 Billion (11%)
- Telecommunications: $9.9 Billion (41%)

■ DoD IT Scale
- 772+ data centers
- 6,000+ locations; 15,000+ networks
- 70,000+ servers; 3 million+ networked users
- 7 million+ IT devices
- 5,000+ applications
- Approx. 90,000 full-time employees

Context: DoD Readiness for DCC/Cloud


■  Interviews  indicate  wide  support  across  DoD  for  DCC/Cloud 

-  Cost  savings  and  efficiency  benefits  are  widely  understood 

-  Budget  imperatives  create  environment  for  making  major  changes 

-  Early  DoD  initiatives  already  showing  positive  results 

■  Despite  stated  willingness  to  work  together,  passive  resistance  is  likely 

-  Loss  of  visibility,  control,  dedicated  staff,  and  contractors 

-  Required  cultural  and  job  changes  will  pose  significant  challenges 

-  Requests  for  exceptions  will  proliferate 

■  Concerns  expressed  about  loss  of  mission  capability 

-  Particular  concern  expressed  about  migration  process 

-  Recognition  that  current  workforce  may  be  inadequately  trained 

- Desire for greater transparency, service focus on output metrics, and
service-provider accountability


Key  issue  requiring  explicit  decision:  IT  optimization  at  what  level? 

[Slide graphic labels: Cost Savings; Return on Investment (ROI); Security;
Mission Effectiveness; Mission Transformation; Implementation]

Findings: Visible and Hidden Costs & Spending

Examples of Cost Savings and Efficiencies

CATEGORY                  REDUCTION                   EXAMPLE
Data Centers              Number: 50%; Cost: 25-50%   Typical payback is 5 years
Servers                   70%                         80 → 4; leverage virtual machines
Server Provisioning       95%                         73 days → less than 1 day
Application Development   90%                         45 days → 4 days
Bandwidth Utilization     70-90%                      ROI in less than 1 year
Personnel                 40%                         Most organizations retrain support staff
                                                      into applications staff

Cost-saving estimates: 25-50% in total annual expenditures
DCC/Cloud initiatives illuminated robust ‘shadow’ IT infrastructure.

Findings: Return on Investment


■  Private  sector  ROI  tends  to  be  case-specific;  often  DCC/Cloud 
migrations  are  combined  with  other  initiatives 

■  However,  some  conclusions  can  be  drawn: 

-  ROI  achieved  consistently  ahead  of  projected  goals  in  both  dollars  and  time 

-  Sustained  reductions  achieved  only  with  initial  up-front  investment 

-  Unanticipated  positive  secondary  effects  were  considerable 

■  Continuation  of  status  quo  has  a  negative  ROI 

■  Additional  non-IT  ‘invisible’  ROI  achieved  by  reduction  of  procurement 
and  deployment  cycles  and  redeploying  staff  to  higher  value  activities 


While  there  are  no  ‘rules  of  thumb’  regarding  ROI  benchmarks,  in  all 
reported  cases  ROI  was  greater  than  originally  anticipated. 

Findings: Security


■ Myth: Cloud-based systems are ‘less secure’
Reality:
- Current systems are difficult to defend
- Security will decline over time
- Properly designed Cloud systems can be more secure

■ Myth: Cloud will lead to lower performance levels for the user
Reality:
- Cloud can offer enhanced and breakthrough performance

■ Myth: ‘All eggs in one basket’ creates a new critical failure risk
Reality:
- Realistically, the data never goes to ‘one basket’
- Cloud provides greater insurance against critical failure risks

Findings: Mission Effectiveness


■  Significant  benefits  came  from  unexpected  areas 

-  Increased  speed  of  data  to  users;  facilitated  information  sharing  and  collaboration 

-  Greater  enterprise  understanding  due  to  increased  visibility  across  all  operations 

-  Staff  productivity  improvement  due  to  shift  of  focus  from  infrastructure  maintenance  to 
applications  development,  support,  and  service 

■  Large  gains  derived  from  change  in  personnel/staffing  model 

-  Staff  can  be  where  best  talent  resides;  does  not  need  to  be  location-specific 

-  Fewer  systems,  networks,  and  enclaves  require  support 

-  Allows  significant  reduction/redeployment  of  contractor  staff 

■  Current  system  hurts  effective  mission  operations 

-  Architecture  makes  it  nearly  impossible  to  share  critical  data  on  a  timely  basis 

-  Proprietary  systems  and  closed  architecture  make  in-theater  upgrades  difficult 

-  Lack  of  common  standards  make  collaboration  difficult 

-  Lack  of  portable  ID  forces  individuals  to  be  ‘reinvented’  with  every  change 

-  Weak  security  creates  need  for  more  enclaves  and  dedicated  networks 

Findings: Mission Transformation


■  Enables  ‘thinner’  computing  and  new  operating  model 

-  Reduces  hardware,  software,  upgrade,  and  maintenance  costs 

-  Increases  quality  and  timeliness;  decreases  risks  of  ‘in-theater’  support 

-  Increases  portability  of  IT  systems;  lowers  risks  of  loss;  improves  mission  security 

■  Increases  value  of  data;  improves  situational  awareness 

-  Decreases  fragmentation  of  data;  increases  accessibility 

-  Facilitates  ‘big  data’  analytics 

■  Changes  balance  and  costs  of  network  defense/attack 

-  Decreases  points  of  entree;  fewer  networks  to  penetrate 

-  Enables  stronger  security,  redundancy,  and  recovery;  allows  more  rapid  upgrades 

-  Increases  required  sophistication  and  costs  to  attackers 

■  Shifts  emphasis  of  cyber  security  from  network  protection  to  data 
integrity  and  identification/authentication 

■  Provides  platform  for  future  innovation 


Findings:  Implementation  -  Authority 


■  Strong  governance  and  leadership  are  the  most  important  factors 

-  Without  it  the  initiative  will  fail;  must  be  ‘owned’  by  CEO,  not  CIO 

-  Must  have  authority  to  say  ‘no’;  passive  resistance  can  not  be  tolerated 

■  Establishing  clear  strategy  and  ‘Concept  of  Operations’  is  essential 

-  Address  both  transition  and  steady-state  operations 

-  Include  risk  analysis  and  mitigation  strategies 

-  Focus  on  training  and  retraining  of  personnel 

-  Develop  specific  milestones,  deadlines,  and  metrics 

■  Legal  and  policy  barriers  work  against  success;  must  be  resolved 

-  Title  10  sets  redundant  authorities  over  business  systems 

-  Requirement  that  every  Service  must  ‘own  its  own  data’  is  unclear 

-  Federal  acquisition  regulations  are  out  of  synch  with  speed  of  technology  change 
and  evolving  mission  requirements 

Findings: Implementation - ‘Aim’ before ‘Fire’


Current  system  configurations  will  be  difficult  to  rationalize  and 
maintain  given  proliferation  of  systems  across  DoD 

■  Successful  migrations  have  followed  a  sequenced  approach: 

- Step 1: Applications normalization, standardization, and rationalization

-  Step  2:  Data  center  rationalization  and  consolidation 

-  Step  3:  Data  and  security  rationalization 

-  Step  4:  Cloud  migration  of  appropriate  components 

■  Standardization  on  numerous  fronts  will  strengthen  security 

■  Consolidation  and  Cloud  initiatives  are  already  underway  but  may  be 
inconsistent  with  goal  to  optimize  at  DoD  enterprise  level 

■  Sequenced  approach  to  migration  will  provide  transparency,  build 
confidence,  and  reduce  risk 

Findings: Implementation - Change Management


Incentives  around  common  goals  are  critical  to  changing  behavior 

-  Early  successes  were  encouraged,  visible,  and  rewarded 

-  Applying  some  of  savings  to  fund  future  upgrades  delivered  long-term  buy-in 

-  Emphasis  on  staff  retraining  rather  than  reduction  created  powerful  motivator 

■  Encourage  pilot  programs;  don’t  fight  the  entire  system 

-  Build  on  current  initiatives  as  long  as  compatible  with  strategy  and  Concept  of 
Operations  (ConOps) 

-  Create  ‘user-pull’  by  moving  desirable  and  ‘easy/safe’  apps  to  Cloud  first 

-  Communicate  benefits  and  value  of  the  change  (steady-state),  not  the  process 

■  Risk  Management 

-  Sequenced  approach  to  migration  will  greatly  reduce  risk 

-  Use  commercially-proven  technology  where  possible;  avoid  the  ‘cutting  edge’ 

-  Expertise  and  track  record  are  key 


Owners  must  be  willing  to  trade  control  for  greater  efficiency, 
lower costs, and increased effectiveness.

Recommendations


1. Establish single strong governance authority

- DEPSECDEF must ‘own’ initiative; CIO drives effort, but it cannot be a CIO initiative
- CIO must have ability to drive change, say ‘no,’ and force compliance
- CIO must develop standardized and transparent metrics across DoD
- Do not create a new committee to oversee effort; will create confusion

2. Develop a coordinated, integrated strategy to optimize at the DoD level

- Establish clear timeline, milestones, budget, and Concept of Operations
- Engage Service/Agency CIOs as chief implementers accountable to the DoD CIO
- Leverage DISA role; insist on commercial-like service level agreements, metrics,
and accountability

3. Streamline legal and procurement authorities to address policy barriers

- Align Title 10 responsibilities with IT modernization governance authority
- Establish rapid and consolidated procurement capability for IT purchases

Recommendations


4. Use sequenced approach to data center consolidation

- Normalize, standardize, and rationalize critical elements first
- Prioritize around applications, then infrastructure, and then data/security
- Set deadlines for termination of legacy systems, personnel, and contractors
- Launch Cloud pilot initiatives that offer immediate user benefits
- Accelerate Cloud when its purpose and desired benefits are clear

5. Utilize commercial business model to set targets/manage expectations

- Establish multi-year budget plan; require audit-level transparency; use ROI metric
- Develop shared model to enable both savings and capability upgrades
- Establish specific output-based metrics for transition, operations, continued
business improvement, and mission support
- Optimize staff for new work mix/model; invest in training
- Utilize DoD incentive and reward programs to drive behavioral changes
Summary


■  DCC/Cloud  is  a  strategic  DoD  enterprise-level  imperative 

-  DoD  CIO  has  a  good  roadmap  and  can  drive  initiative  on  behalf  of  DEPSECDEF 

-  DoD  CIO  needs  to  be  a  strategic  partner,  not  a  back-office  support  provider 

■  Benefits  are  dramatic  and  far-reaching 

-  Cost  savings,  efficiency  gains,  and  security  enhancements  are  significant 

-  New  architecture  provides  platform  for  future  innovation 

-  Mission  support  improvement  and  ultimate  transformation  are  greatest  benefits 

■  Failure  to  act  decisively  is  a  decision,  and  the  wrong  one 

-  DoD  initiatives  are  already  underway;  independent  and  uncoordinated  actions 
will  increase  barriers  to  coordination  and  information  sharing 

-  Costs  will  skyrocket  and  service  levels  will  decrease  given  need  to  maintain 
legacy  systems;  future  rationalization  will  be  harder  and  more  expensive 

-  Security  will  fall  further  behind,  leaving  entire  IT  network  increasingly  vulnerable 

-  IT  costs  (given  DoD  ‘color  of  money’)  are  a  direct  tradeoff  with  warfighter  needs 


Defense  Business  Board 

Business  Excellence  In  Defense  of  the  Nation 




Appendix 




Documents  Reviewed 


DoD  documents  and  briefings 

■  “Defense  Information  Infrastructure:  Rationale  for  Defense  Management  Report
Decision  (DRMD)  918,”  Cynthia  Kendall,  Deputy  Assistant  Secretary  of  Defense
(Information  Systems),  September  1992

■  Defense  Intelligence  Agency  Strategic  Vision  Overview  2012-2016

■  “Department  of  Defense  Information  Technology  Enterprise  Strategy  and  Roadmap,”
DoD  Chief  Information  Officer,  September  6,  2011

■  “Department  of  the  Navy  Information  Management/Information  Technology/Cyberspace
Campaign  Plan  for  Fiscal  Years  2011-2013,”  Terry  Halvorsen,  DON/CIO,  May  2011

■  Federal  Data  Center  Consolidation  Initiative;  Department  of  Defense  2011  Data  Center
Consolidation  Plan  &  Progress  Report,  November  8,  2011

■  Remarks  by  Deputy  Secretary  Lynn  at  the  2011  DISA  Customer  and  Industry  Forum,
Baltimore,  MD,  August  16,  2011

■  Title  10  USC;  Subtitle  A;  Part  IV;  Chapter  131;  Section  2222  Defense  business  systems:
architecture,  accountability  and  modernization;  January  2009


US  Government  documents 

■  “25  Point  Implementation  Plan  to  Reform  Federal  Information  Technology
Management,”  Vivek  Kundra,  U.S.  Chief  Information  Officer,  December  2010

■  “Cyberspace  Policy  Review:  Assuring  a  Trusted  and  Resilient  Information  and
Communications  Infrastructure,”  The  White  House,  May  29,  2009

■  “Data  Center  Consolidation;  Agencies  Need  to  Complete  Inventories  and  Plans  to
Achieve  Expected  Savings,”  Government  Accounting  Office  Report  11-565,  July  2011

■  “Information  Security:  Additional  Guidance  Needed  to  Address  Cloud  Computing
Concerns,”  Gregory  C.  Wilshusen,  GAO  12-130T,  October  6,  2011

■  “Information  Security:  Federal  Guidance  Needed  to  Address  Control  Issues  with
Implementing  Cloud  Computing,”  Government  Accounting  Office  Report  GAO  10-513,
May  2010

■  “Memorandum  for  Chief  Information  Officers,  Subject:  Security  Authorization  of
Information  Systems  in  Cloud  Computing  Environments,”  Steven  VanRoekel,  Federal
CIO,  December  8,  2011

■  “State  of  Public  Sector  Cloud  Computing,”  Vivek  Kundra,  Federal  CIO,  May  20,  2010

■  “VA  Information  Technology  Strategy,”  Statement  of  Joel  Willemssen,  Managing
Director,  Information  Technology  U.S.  Government  Accountability  Office  before  the 
House  Veterans  Affairs  Subcommittee  on  Oversight  and  Investigations 

Industry  reports  and  reference  material 

■  “IT  Service  and  Cloud  Computing  Transformation  Strategy,”  Gartner  Consulting,
September  2011

■  “Cloud  First  Buyers  Guide  for  Government,”  TechAmerica  Foundation

■  “Security  Risks  in  Cloud  Computing;  a  Preliminary  View  from  the  IREC  Membership,”
Information  Risk  Executive  Council,  2010

■  “Enterprise  Data  Center  Consolidation  in  the  States:  Strategies  and  Business
Justification,”  NASCIO,  August  2007

■  “Hype  Cycle  for  Virtualization,”  Philip  Dawson,  Gartner,  Inc.,  July  22,  2010

■  “Key  Issues  for  Securing  Public  and  Private  Cloud  Computing,  2011,”  John  Pescatore,
Gartner,  Inc.,  April  15,  2011

■  “Amazon’s  Corporate  IT  Migrates  Business  Process  Management  to  the  Amazon  Web
Services  Cloud,”  Amazon  Web  Services,  April  2011


Press  articles  and  speeches 

■  “A  Break  in  the  Clouds:  Towards  a  Cloud  Definition,”  Luis  Vaquero,  et  al

■  “Federal  IT  Needs  A  Cost-Savings  Dashboard,”  John  Foley,  InformationWeek
Government,  December  12,  2011

■  “GAO  Faults  Pentagon  Cyber  Efforts,  Lack  Of  Clarity,”  Ellen  Nakashima,  Washington
Post,  July  26,  2011

■  “Military  Networks  'Not  Defensible,'  Says  General  Who  Defends  Them,”  Noah
Shachtman,  Danger  Room  (Wired.com),  January  12,  2012

■  “Navy,  Marine  Corps  Under  Orders  To  Slash  IT  Spending,”  Nicole  Blake  Johnson,
Federal  Times,  August  10,  2011

■  “Navy  Details  Data  Center  Consolidation  Plan,”  Bob  Brewin,  NEXTGOV,  July  26,  2011

■  “Preparing  for  the  Real  Costs  of  Cloud  Computing,”  Bob  Violino,  Computerworld,
December  5,  2011

■  “Selling  Umbrellas  in  the  Rain,”  Dean  Iacovelli,  www.public-cio.com,  February  2011

■  “The  Agile  Infrastructure;  Digital  Spotlight  Datacenters,”  Robert  L.  Scheier,
Computerworld,  December  2011

■  “The  Coming  Cyber  Wars,”  Richard  Clarke,  Boston  Globe,  July  31,  2011

■  “Under  Pressure:  The  Pentagon  Faces  a  Business  Challenge  at  Military  Scale,”  John
Foley,  InformationWeek,  November  28,  2011